    Domain Controller Placement

    You should avoid making every Windows Server 2003 server a domain controller. Doing so hurts performance, because replication and directory management consume CPU cycles. It also makes the replication topology unnecessarily complex.

    The initial number of domain controllers depends primarily on fault tolerance. You should always have at least two domain controllers in a domain to ensure that you have a full copy of Active Directory ready for action in case either server should fail. I recommend having three so that you can do maintenance on one server while the other two are up and ready for work.

    Reliability and performance then become the primary criteria for selecting domain controllers. Plan on putting at least two domain controllers in every large office (1000+ users) to get acceptable performance during morning logon and for fault tolerance.

    Put at least one domain controller in every office where you do not want users authenticating over the WAN. If you have a solid, fast network infrastructure, you might be able to draw the line at 50 users. If your infrastructure is slow or prone to failure, you might want to reduce the number to 10.

    If you do not have a domain controller in an office with member servers, a WAN failure will eventually cut the users off from their local servers. This is because the Kerberos tickets eventually expire (10-hour default lifetime). You don't want to shut down the production floor of a factory because some construction worker put a backhoe through the communication link to your domain controller. In these instances, you'll need a local domain controller.

    Global Catalog Servers

    Global Catalog servers are a vital component of your Active Directory architecture. The Windows authentication system relies on the Global Catalog to obtain Universal group membership. Client/server applications like Exchange 2000 rely on the GC for information. Many LDAP queries take a lot longer if the client is forced to walk the tree rather than query the GC.

    If a site has no GC server available, users will only be allowed to log on to the domain if a local domain controller has been configured to cache the GC information. Otherwise, they will get an error saying that no GC server can be contacted and logon has been denied. This restriction does not apply to administrators.

    Designating a domain controller as a GC server can significantly increase the hardware requirements for the server in a big network. If you have 200,000 users in your forest but only 20,000 or so in any one domain, the GC servers in each domain will have a fairly hefty Ntds.dit file to handle. You must size your server hardware accordingly.

    Place at least one GC in every large office. Smaller offices can either have a GC or a standard domain controller configured to cache GC information.

    If you have only one domain, you should enable the Global Catalog on every server. This ensures that a client can send a query to port 3268 on any server and get a response. There is no additional overhead or performance decrement for taking this action.

    DNS Secondaries

    The stability and reliability of a Windows Server 2003 domain absolutely depends on the stability and reliability of the dynamic DNS system that provides name resolution services for that domain. It does no good to put a domain controller in a branch office to achieve fault tolerance without placing a dynamic DNS secondary for the zone in the same office.

    The most straightforward way to distribute DNS services in conjunction with Active Directory is to use Active Directory Integrated zones (see Chapter 5, "Managing DNS," for details). This places the DNS records directly into Active Directory where every domain controller can reach them. All you need to do is install DNS on a domain controller and that's that. It will see the integrated zones and display them automatically. And thanks to the multiple-master nature of Active Directory, every domain controller running DNS can make changes to the zone.

    A few caveats apply when using Active Directory Integrated DNS zones. Foremost is the requirement that the DNS servers must also be domain controllers. You can, if you want, create standard secondaries that pull a copy of the zone from an Active Directory Integrated primary. As with standard DNS, this secondary copy will be read-only. You should always have at least one standard secondary DNS server so you can quickly recover a zone should there be a problem with Active Directory replication. You do not need to point any clients at this server. It's just there as an online backup.

    If a domain controller is running DNS, you should always configure the TCP/IP properties to point at another DNS server for name resolution. Pointing a domain controller at itself can result in a Catch-22 situation where the domain controller cannot replicate changes because it cannot find the IP address of its replication partners and it cannot update its copy of the zone to get those IP addresses because of the replication failure. You could also encounter problems during boot in which the Active Directory services start before DNS starts.
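
The placement guidance in this section (local domain controllers, GC availability, local DNS, and not pointing a DNS-running domain controller at itself) applied as an audit over a site inventory. This is an added example, not code from the book; the `Site` and `DC` classes, the `audit` function and the inventory are constructed for illustration, and the text's 50-user and 1000-user figures are assumed to be inclusive lower bounds.

```python
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1"}
@dataclass
class DC:
    name: str
    ip: str
    is_gc: bool = False
    caches_gc: bool = False   # configured to cache GC information
    runs_dns: bool = False    # assumption: DNS is modelled only on DCs
    dns_servers: list = field(default_factory=list)  # resolver order in TCP/IP properties

@dataclass
class Site:
    name: str
    users: int
    dcs: list = field(default_factory=list)

def audit(sites, dc_threshold=50, large_office=1000):
    """Return (site, finding) pairs; thresholds are the text's figures, adjustable."""
    out = []
    for s in sites:
        if not s.dcs:
            if s.users >= dc_threshold:
                out.append((s.name, "no local DC: logons cross the WAN"))
            continue
        if s.users >= large_office and len(s.dcs) < 2:
            out.append((s.name, "large office with fewer than two DCs"))
        if not any(d.is_gc or d.caches_gc for d in s.dcs):
            out.append((s.name, "no GC and no GC caching in site"))
        if not any(d.runs_dns for d in s.dcs):
            out.append((s.name, "DC present but no local DNS server"))
        for d in s.dcs:
            if d.runs_dns and d.dns_servers[:1] and d.dns_servers[0] in LOOPBACK | {d.ip}:
                out.append((s.name, f"{d.name} points at itself for DNS first"))
    return out

# Constructed inventory for illustration only.
SITES = [
    Site("HQ", 2500, [
        DC("hq-dc1", "10.0.0.10", is_gc=True, runs_dns=True, dns_servers=["10.0.0.11", "10.0.0.10"]),
        DC("hq-dc2", "10.0.0.11", is_gc=True, runs_dns=True, dns_servers=["10.0.0.10", "10.0.0.11"])]),
    Site("Plant", 1200, [DC("pl-dc1", "10.1.0.10", runs_dns=True, dns_servers=["127.0.0.1"])]),
    Site("Branch", 80, [DC("br-dc1", "10.2.0.10", caches_gc=True, dns_servers=["10.0.0.10"])]),
    Site("Depot", 60), Site("Kiosk", 12),
]

if __name__ == "__main__":
    print(*(f"{s}: {m}" for s, m in audit(SITES)), sep="\n")
```

Passing `dc_threshold=10` applies the stricter figure the text suggests for slow or failure-prone links.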
